From d748a8dd5946ed2fead665663496bb73d3f6bb5b Mon Sep 17 00:00:00 2001
From: caoqianming
Date: Sat, 2 Apr 2022 10:32:09 +0800
Subject: [PATCH] rbac permission bug
---
 apps/system/serializers.py | 5 +++++
 apps/system/views.py | 3 ++-
 apps/utils/permission.py | 2 +-
 3 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/apps/system/serializers.py b/apps/system/serializers.py
index 09d8748e..80d14bc1 100644
--- a/apps/system/serializers.py
+++ b/apps/system/serializers.py
@@ -277,6 +277,11 @@ class UserPostSerializer(CustomModelSerializer):
 model = UserPost
 fields = '__all__'
+class UserPostCreateSerializer(CustomModelSerializer):
+ class Meta:
+ model = UserPost
+ exclude = EXCLUDE_FIELDS_BASE
+
 class UserInfoSerializer(CustomModelSerializer):
 posts_ = UserPostSerializer(source='post', read_only=True)
diff --git a/apps/system/views.py b/apps/system/views.py
index 005acc5c..1ef6d814 100644
--- a/apps/system/views.py
+++ b/apps/system/views.py
@@ -29,7 +29,7 @@ from .serializers import (DeptCreateUpdateSerializer, DeptSerializer, DictCreate FileSerializer, PermissionCreateUpdateSerializer, PermissionSerializer, PostCreateUpdateSerializer, PostSerializer, PTaskCreateUpdateSerializer, PTaskResultSerializer, PTaskSerializer, RoleCreateUpdateSerializer, RoleSerializer, - UserCreateSerializer, UserListSerializer, + UserCreateSerializer, UserListSerializer, UserPostCreateSerializer, UserPostSerializer, UserUpdateSerializer) logger = logging.getLogger('log')
@@ -253,6 +253,7 @@ class UserPostViewSet(CreateModelMixin, DestroyModelMixin, ListModelMixin, Custo
 perms_map = {'get': '*', 'post': 'user_update', 'delete': 'user_update'}
 queryset = UserPost.objects.select_related('user', 'post', 'dept').all()
 serializer_class = UserPostSerializer
+ create_serializer_class = UserPostCreateSerializer
 filterset_fields = ['user', 'post', 'dept']
 def perform_create(self, serializer):
diff --git a/apps/utils/permission.py b/apps/utils/permission.py
index c571a3d3..95da4c23 100644
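Review bot: In apps/system/serializers.py, `exclude = EXCLUDE_FIELDS_BASE` on the new `UserPostCreateSerializer` is a deny-list, so any field later added to `UserPost` becomes client-settable on create without anyone reviewing it. For a serializer that writes user-to-post assignments, an explicit allow-list is the safer default, for example `fields = ['user', 'post', 'dept']`. Those three names are taken from `filterset_fields` in views.py and need checking against the model. `EXCLUDE_FIELDS_BASE` is defined outside this hunk, so what it actually strips cannot be verified here.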
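Review bot: In apps/system/views.py (hunk at -253), `create_serializer_class = UserPostCreateSerializer` only has an effect if the base viewset's serializer lookup reads that attribute for the create action, and that lookup is not part of this diff. If it is misspelled or not consulted, POST silently falls back to `UserPostSerializer` with `fields = '__all__'`. A test that posts a payload containing one of the excluded base fields and asserts it is ignored would pin the behaviour this patch is meant to enforce. A short comment such as `# create must not accept the base fields that UserPostSerializer exposes` would also record the reason for the split. `perform_create` continues outside the hunk, so what it sets on save is not visible here.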
--- a/apps/utils/permission.py
+++ b/apps/utils/permission.py
@@ -47,7 +47,7 @@ class RbacPermission(BasePermission):
 return False
 user_perms_map = cache.get('perms_' + request.user.id, None)
 if user_perms_map is None:
- user_perms_map = get_user_perms_map(self.request.user)
+ user_perms_map = get_user_perms_map(request.user)
 if isinstance(user_perms_map, dict):
 if 'superuser' in user_perms_map:
 return True
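Review bot: The cache-miss branch fixed here has no test in this patch that runs the permission check with an empty cache, which is presumably how `self.request.user` went unnoticed. Separately, the context line `cache.get('perms_' + request.user.id, None)` only works when the id is a string; `cache.get(f'perms_{request.user.id}')` would not depend on that. Because `'superuser' in user_perms_map` grants everything based on the cached value, it is worth confirming that the `perms_<id>` entry is dropped whenever a user's roles or posts change; that invalidation code is not visible in this diff. The method body starts and ends outside the hunk.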